I don't know where this came from but I've ran all kinds of removal tools and nothing is found. Anyone know what it is?

Do they do anything?

Maybe it's just edited your background pic?

When i place the cursor over each block a pop-up appears to take me to a new website.

Wow, spyware that changes your wallpaper? That would be fricking NASTY.

Anyway, have you tried Ad-Aware and Spybot?

Tried both. Comes back as clean. I got the firewall to block the webpage that pops up but obviously something is running in the background that doesn't show in my processes list.

Nothing on active desktop either. Good suggestion though.

Newcastle Brown? For when I get so hacked off with it that I need a drink?

You regularly buy kegs at a time then?

You might need to check for rootkits.

http://www.sysinternals.com/Utilities/RootkitRevealer.html

What tools have you tried? Some that I recommend are Spybot Seach and Destroy, AD-Aware SE, Hijack This, Microsofts Antispy.
As for a virus scanner NOD32 is more than 5 times fasters than any other scanner and it detects/cleans more than the others.

If you can't get it off I can ship you an ultimate boot cd.

Did you run your removal tools while booted to safemode without networking? All spyware cleaning should be done in safe mode.

Download HijackThis, which can scan for spyware and show running processes. While you're getting Rootkit Revealer, pick up Autoruns and Process Explorer. The latter will show which DLLs are associated with processes. Check the properties of these DLLs; recent creation date and missing meta-information are suspicious. Google searching the DLL names may also help.

Try using reged32.exe <regedt32? i forget> to browse your registry for malicious entries. I think that's the only program which can see the otherwise hidden overlong key names. Searching Google for the overlong key name invisibility bug may turn up more.

Maybe this is a Browser Helper Object (BHO) attached to your Active Desktop... which is just plain nasty. There is a good BHO remover, but I don't remember the name. You can find them in the reg key HKLM\Software\Microsoft\Windos\CurrentVersion\explorer\Browser Helper Objects. Their SIDs (long numeric names) are listed as subkeys. Copy the SID, go to the top of the registry, and run a search for the SID. Each should have an entry in HKLM\Software\CLASSES\CLID. Search your hard drive for the DLLs referenced in the subkey, and if they are suspiciousm delete the DLLs, CLSID key, and Browser Helper Object key.

Or, this could be very nasty, just above rootkit nasty, and be attaching itself to Winlogin or another early-loading service. Worst case, boot to safe mode with command prompt, run HijackThis (which loads in GUI), and use that to launch your other removal tools. As long as you don't run Explorer.exe, the hacked fundamental services won't load and you'll have full access to your own system.

And there are many spyware forums out there, so maybe someone has posted removal instructions. Good luck.

I am also having an issue with another spyware piece, Virtumundo. I can't even seem to delete it in safe mode, it says the file is in use. Apparently, it's attached itself to the login procedure, so since I still have to log in in safe mode, it gets launched. The only way I can think of is to remove the drive and pop it into a different machine. I was hoping for a more elegant solution though.

Hmmm... Does knoppix support ntfs? If so I'll d/l it first thing tomorrow.

Command-line-only safe mode?

I nuked Virtumundo off a machine a few weeks ago. I found the procedure online someplace. It took a few minutes, involved some software, namely 'CleanUp40.exe' and 'VundoFix.exe'. I have the applications if you PM me an address (too big to attach) I'll send them to you. I don't recall keeping the instructions, so you'll have to google around.

-Zeke

Mentioned at the end of my previous rant, if the spyware loads in safe mode, you'll have to boot to "Safe mode with command prompt."

First, boot to regular GUI safemode and copy all of your spyware tools from a CD to the machine. Run HijackThis and see which malicious DLLs are attached to the fundamental services like Winlogin. Also HijackThis and Process Explorer will show you hidden processes that Task Manager can't, so make note of those.

Then reboot to safe mode command prompt, and start HijackThis. It loads graphically (like everything else will) so use its Run ability to browse directory trees to your other spyware tools.

My Winlogin cleaning notes are not on hand, but here's a start. Since you know the malicious DLL and EXE names, find and delete them. You may need to access the Services portion of the registry (I think it's triplicated, so check each one). Remove references to the bad files and, possibly, recreate good references to the real files by retyping the info from a known good computer.

Cleaning spyware by hand is fun. Too bad it's so well hidden that I don't see it anymore.

I found the page I used when I got rid of the Virutomondo issue:

http://forum.tweakxp.com/forum/Topic181585-29-1.aspx

Please note that the file name they use in the example is NOT THE ONE YOU'LL SEE. Virutomondo randomly generates a file name and you have to look through your HiJackthis logs to find the name. Once you have that you can follow the instructions as posted in the link above.

-Zeke

Kick Bootie... Thanks.

As far as nuking the machine, if it were mine, I would have long ago. Unfortunately, it's a local judge who has no compunction paying me $65 per hour to grind the spyware away and leave his data as intact as can be. I'm happy to oblige.

This morning I thought about command prompt mode, since the adware attaches itself to the logon script. Command mode requires no login - unless you run explore. I figured that was the next step but have't been back to his house to try it.

I just need to vent. F-U-C-K WINDOWS. I pulled out an old laptop I'd shelved (because I got sick of wiping viruses and adware off of it for Kelly and made her get an iBook) and slapped XP on it for my brother. Put on Firefox. And it took him all of TWO DAYS to get a virus/adware on it that I've now spent 3 f'n hour trying to get off. I'm so sick of this bullshite. I don't know how the huge majority of the people that use windows and don't know jack about computers deal with this stuff. There must be MILLIONS of infected computers out there that people just deal with. Firefox is no longer immune apparently. AAAAAAAARRRRHHHHGHGHG.

[/vent]

I'd bet that it was installed after downloading. Get MyUninstaller and check out the list of installed programs. If it did get installed thru firefox I would suspect that it used javascript and would recommand installing NoScript. As for a virus scanner NOD32 is the best virus scanner I have ever used. It doesn't really get in the way unlike everything else I've tried. As an example start Azureus after booting up Windows. When running Mcafee Azureus can take 3 to 5 minutes to start and with NOD32 it takes less than 10 seconds.

Maybe see if you could restore it to a previous restore point and see if it gets rid of it? though that might cause you to loose some data but figured id mention it

Thanks for the tips!

This is sort of exactly my point. I shouldn't have to do this. It never ceases to infuriate me and want to chuck all of my windows CDs out the window har har.

Aaaaagh. I need to format and reinstall. 'Take off and nuke the site from orbit. Its the only way to be sure'.